1. Field
The following description relates to a Distributed Denial of Service (DDoS) attack detection and defense apparatus and method of a router in an Internet Protocol (IP) network.
2. Description of the Related Art
Typical Distributed Denial of Service (DDoS) attack defense methods for use in routers include the black hole routing technique and the sink hole routing technique, which are widely used by Internet service providers (ISPs). The black hole routing technique, which is also referred to as null routing, forwards all traffic to the Null0 interface, which is a virtual interface, so that the traffic is dropped. However, since all traffic is routed to the Null0 interface under the black hole routing technique, an attack target server may not be able to continue to provide services, which is the exact purpose of a DDoS attack.
Access control list (ACL)-based packet filtering may also be used as a DDoS attack defense method. The ACL-based packet filtering method is generally used in core routers or backbone switches and is especially useful when a large-scale UDP attack or DDoS attack is identified. However, the ACL-based packet filtering method lacks precision. Thus, the ACL-based packet filtering method may not be able to properly handle TCP attacks or large-scale IP address spoofing, and may result in an increase in the cost of management. For example, to reduce the cost of management, the ACL-based packet filtering method may be applied only to an attack target system. In this example, the attack target system may not be able to continue to provide services, which is the goal of a DDoS attack.
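The limitations described in the two preceding paragraphs can be reproduced with a small simulation. The following is an added example, not part of the original description: it models a null route and a coarse ACL over constructed flows, and the addresses, the interface name `ge0`, the ACL rule and all function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample flows (documentation address ranges): (src, dst, proto, is_attack)
VICTIM = "203.0.113.10"
FLOWS = [
    ("198.51.100.7", VICTIM, "udp", True),    # UDP flood
    ("198.51.100.8", VICTIM, "udp", True),
    ("192.0.2.44", VICTIM, "tcp", True),      # TCP flood from a spoofed source
    ("192.0.2.50", VICTIM, "tcp", False),     # legitimate web client
    ("192.0.2.51", VICTIM, "udp", False),     # legitimate UDP client
    ("192.0.2.52", "203.0.113.20", "tcp", False),  # traffic to a neighbouring server
]

def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def black_hole(flows):
    """Null route: a /32 for the victim pointing at Null0 overrides the /24."""
    routes = [(ipaddress.ip_network("203.0.113.0/24"), "ge0"),
              (ipaddress.ip_network(VICTIM + "/32"), "Null0")]
    return [f for f in flows if lookup(routes, f[1]) != "Null0"]

def acl_filter(flows):
    """Coarse ACL (assumed rule): deny udp any -> victim, permit everything else."""
    return [f for f in flows if not (f[1] == VICTIM and f[2] == "udp")]

def summarize(flows, delivered):
    """Count attack flows that got through and legitimate victim flows lost."""
    attack_passed = sum(1 for f in delivered if f[3])
    legit_lost = sum(1 for f in flows
                     if not f[3] and f[1] == VICTIM and f not in delivered)
    return {"attack_passed": attack_passed, "legit_to_victim_lost": legit_lost}

if __name__ == "__main__":
    print("black hole:", summarize(FLOWS, black_hole(FLOWS)))
    print("ACL:       ", summarize(FLOWS, acl_filter(FLOWS)))
```

The null route stops every attack flow but also drops both legitimate flows to the target, while the protocol-level ACL still loses the legitimate UDP client and lets the TCP flood through.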
A security equipment-based defense method may also be used as a DDoS attack defense method. The security equipment-based defense method may be characterized by defending an attack target system against a DDoS attack using firewalls or an intrusion prevention system (IPS). The security equipment-based defense method may utilize existing router systems and may respond to various attack patterns including layer-7 attacks. However, in the security equipment-based defense method, the performance of a whole service network may be considerably affected by the performance of security equipment, and the service network may be highly vulnerable to a large-scale DDoS attack. In addition, the security equipment-based defense method requires high-bandwidth security equipment, which is very expensive.